Most of us have, at one time or another, been faced with the choice between using an untrusted machine for logging in to a sensitive account and not being able to accomplish a critical task on a timely basis. And, when using an untrusted machine, there is always the possibility of its having been compromised by a keylogger.
However, it is possible to obfuscate the credentials data being typed, so that a keylogger will be effectively neutralized.
While the method here described is not new, it is one that few know of; and, more importantly, one that requires substantial resources if a keylogger is to extract the real data. Given that few employ this method, it is probable that few, if any, keyloggers have undertaken to deal with it.
Quoting from Scott Dunn's article in Windows Secrets Newsletter, Issue 213, 2009-09-10,
"Your best defense is not to use any untrusted computer to sign in to any site that contains banking or sensitive personal information. When you simply must take a chance on using a random PC, however, you can minimize the risk — if not eliminate it.
Security blogger Ian Saxon publishes an approach that may not be 100% foolproof but should provide some reasonable protection when entering passwords. Writing on his Defending the Kingdom site, Saxon outlines what he calls the "revised Vesik method" for entering passwords:
- Step 1. Click in the password box and type three random characters, mixing upper and lower case, numbers, etc.
- Step 2. Use your mouse or the Shift and arrow keys to select the characters you just typed. Then type three more random characters or a portion of your password, replacing the characters you typed previously. (Mixing random characters with actual parts of the password makes it more difficult for keyloggers to identify your password.)
- Step 3. Repeat steps 1 and 2 a few times. The more often you repeat the process, the harder it will be for an intruder to discern your password when examining the keylogger file.
- Step 4. Click to the left or right of your password segment and follow steps 1 to 3 to add a few more characters.
- Step 5. Repeat the process, adding a few more characters of your password on each cycle until your entire password is in the password box. Then sign in to the site.
This procedure clutters the keylogger's log file with a series of click events and characters. There's no easy way for the intruder to know which characters are your password and which are random.
The key is to select and gradually overtype gibberish characters with your actual password characters. Don't simply type some garbage, backspace over it, and then enter your real password. Most keyloggers compensate for backspacing but can't keep track of characters you select and overtype.
As Saxon points out, this method isn't foolproof. For example, if you use an untrusted PC to sign in to the same site twice — and you don't use identical gibberish each time — a hacker could compare the two captured keystroke sequences and possibly figure out which characters constitute your actual password.
However, most crooks are looking for "low-hanging fruit." They'll move on to another victim rather than spend a lot of time trying to filter your password out of the noise.
Of course, if we all used the Vesik method to obscure our passwords, hackers might develop keyloggers that track this kind of data entry, too. But most people don't conceal their passwords in noise, so keyloggers don't compensate for it."
Saxon's article, with example, can be found via the above link.
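The contrast between backspacing and select-and-overtype, modelled as an added example (not part of this post or of Saxon's article): a constructed password field plus a logger that records key presses only. The class and function names, the gibberish strings and the sample password are assumptions made for illustration.

```python
from itertools import cycle

class PasswordBox:  # constructed model: a password field plus a keystroke-only logger
    def __init__(self):
        self.text, self.sel, self.key_log = "", (0, 0), []  # field text, selection, logger's view
    def click(self, pos):          # mouse click moves the caret and logs no key
        self.sel = (pos, pos)
    def select(self, start, end):  # mouse drag selects text and logs no key
        self.sel = (start, end)
    def type(self, chars):         # each key replaces the selection or inserts at the caret
        for ch in chars:
            s, e = self.sel
            self.text = self.text[:s] + ch + self.text[e:]
            self.sel = (s + 1, s + 1)
            self.key_log.append(ch)
    def backspace(self):
        s, e = self.sel
        s = s - 1 if s == e and s > 0 else s
        self.text = self.text[:s] + self.text[e:]
        self.sel = (s, s)
        self.key_log.append("<BS>")

def replay_keys_only(key_log):     # rebuild the field from keys alone, honouring backspace
    out = []
    for key in key_log:
        out = out[:-1] if key == "<BS>" else out + [key]
    return "".join(out)

def backspace_session(password):   # what the article advises against
    box = PasswordBox()
    box.type("x7Q")
    for _ in range(3):
        box.backspace()
    box.type(password)
    return box

def overtype_session(password, chunk=3):   # steps 1-5 of the quoted procedure
    box, noise = PasswordBox(), cycle(["x7Q", "Lm2", "9rT", "Kd4", "pZ8"])  # constructed gibberish
    for i in range(0, len(password), chunk):
        start = len(box.text)
        box.click(start)                       # step 4: click to the right of what is entered
        for part in (next(noise), next(noise), password[i:i + chunk]):
            box.select(start, len(box.text))   # step 2: select what this cycle typed so far
            box.type(part)                     # steps 1-3: gibberish twice, then real characters
    return box

if __name__ == "__main__":
    for box in (backspace_session("Blue42Kiwi"), overtype_session("Blue42Kiwi")):  # constructed password
        print(box.text, replay_keys_only(box.key_log))
```

In both sessions the field ends up holding the correct password; the key-only replay reproduces it after the backspace session but yields a 34-character mix of gibberish and password after the overtype session.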
